Sourcefire VRT Rules Update

Date: 2007-10-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid - Message (rule group)

New rules:
12652 <-> SPYWARE-PUT Hijacker new.net domain 7.2.2 runtime detection - hijack browser (spyware-put.rules)
12653 <-> SPYWARE-PUT Hijacker new.net domain 7.2.2 runtime detection - download code (spyware-put.rules)
12654 <-> SPYWARE-PUT Hijacker rabio 4.2 runtime detection - hijack browser (spyware-put.rules)
12655 <-> SPYWARE-PUT Hijacker rabio 4.2 runtime detection - download updates (spyware-put.rules)
12656 <-> SPYWARE-PUT Adware icoo loader 2.5 runtime detection 1 (spyware-put.rules)
12657 <-> SPYWARE-PUT Adware icoo loader 2.5 runtime detection 2 (spyware-put.rules)
12658 <-> SPYWARE-PUT Adware winantivirus pro 2007 runtime detection (spyware-put.rules)
12659 <-> SPYWARE-PUT Trickler zlob media codec runtime detection - automatic updates (spyware-put.rules)
12660 <-> SPYWARE-PUT Trickler zlob media codec runtime detection - download redirect domains (spyware-put.rules)
12661 <-> BACKDOOR troll.a runtime detection (backdoor.rules)
12663 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode access (web-client.rules)
12664 <-> MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt (misc.rules)
12665 <-> EXPLOIT CA BrightStor LGSerer username buffer overflow attempt (exploit.rules)
12666 <-> EXPLOIT HP OpenView OVTrace buffer overflow attempt (exploit.rules)
12667 <-> EXPLOIT CA BrightStor ARCServer malicious fileupload attempt (exploit.rules)
12668 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid vulnerable function access (web-client.rules)
12669 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode vulnerable function access (web-client.rules)
12670 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call vulnerable function access (web-client.rules)
12671 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode vulnerable function access (web-client.rules)

Updated rules:
10192 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid access (web-client.rules)
10193 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode access (web-client.rules)
10194 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call access (web-client.rules)
11223 <-> WEB-MISC google proxystylesheet arbitrary command execution attempt (web-misc.rules)
12008 <-> DELETED VOIP-SIP Request Too Small (deleted.rules)